Texas Doubles Down On Tough Breach Law - InformationWeek


Nathan Taylor


Everything is bigger in the Lone Star State -- even the state's breach notice requirements, which, constitutional or not, may impact companies nationwide. Here's what IT teams need to know.

If you thought the 2011 expansion of the Texas security breach notification law was confusing, wait until you see the state's latest move. Texas has once again amended its statute, this time in an apparent attempt to address concerns raised with the law's scope. Unfortunately, Texas Senate Bill 1610, which Gov. Rick Perry signed on June 14, makes the law even broader than it was before -- and certainly no less confusing or problematic.

Some background: Before Sept. 1, 2012, when the last amendment took effect, the Texas breach law resembled those of all other states. Essentially, a person who conducted business in Texas was required to provide notice "to any resident of this state" (i.e., Texas) whose sensitive personal information was involved in a breach incident. The law imposed no obligation on companies if a breach also involved information relating to residents of other states. As a result, through August 2012, the Texas law was in harmony with other state breach laws, which are understood to apply only to information relating to residents of the respective state.

What changed in 2012? In a previous amendment to the Texas breach law, the Texas Legislature struck the critical phrase "to any resident of this state" from its notification requirement and replaced it with "to any individual." This amendment by itself would have extended application of the Texas law to all U.S. residents. Even though this notice provision was broadly drawn, the amended law included a limiting component: For any particular breach, notice to residents of states other than Texas was required under Texas law only when notice would not be required under the laws of those other states.

The amended Texas law was far from a model of clarity, but the intent seemed clear: to require notice to residents of at least some states other than Texas. In this regard, the law stood in stark contrast to typical state breach laws, which don't attempt to reach beyond state borders. For example, if a business experiences a security incident involving information relating to California and New York residents, the business must determine whether the California and New York laws require notice to their respective residents. What the Texas law appeared to say was that if, for example, the California law would not require notice of that breach, the Texas law would apply and notice would be required for affected California residents.

In fact, the Texas law could be read to apply to a breach involving residents of states other than Texas even if the breach did not occur in Texas and did not involve information regarding Texas residents at all.

Not surprisingly, this provision raised constitutional and other concerns. For example, would Texas seek to enforce its "nationwide" notification provision against a company for an incident occurring outside of Texas and involving information regarding residents of states other than Texas, simply because that company conducts business in Texas? Although such an enforcement action may have been unlikely, the amended law seemed inconsistent with the constitutional law principle referred to as the "dormant Commerce Clause" doctrine, which limits the ability of a state to apply its law to commerce that takes place outside of the state's borders. As a result, the Texas law appeared vulnerable to constitutional attack because it attempted to expressly regulate out-of-state conduct.

Texas lawmakers, however, evidently saw the problem differently. On June 14, 2013, Gov. Perry signed into law S.B. 1610 to once again amend the Texas law. S.B. 1610 leaves in place the requirement to notify "any individual" of a breach, regardless of that individual's state of residence. But the amendment removed the limiting component under which notice went to Texas residents and to residents of other states only when those states' laws did not require notice of the particular breach. In its place, the Texas law now provides that if a breach involves information regarding a resident of a state other than Texas, and that state's law requires notice of the incident, a person conducting business in Texas may provide notice of the breach "under that state's law" or under the Texas law.

As a result, the Texas law not only retains its broad extraterritorial reach, it now appears to be attempting to pre-empt other state breach laws.

Say a person conducting business in Texas experiences a breach involving information regarding California residents. The Texas law would appear to apply to that incident, but the business may provide notice under the California law or the Texas law. The Texas senator who introduced S.B. 1610 explained that the bill's purpose was to remedy the "unintended consequences" of the previous amendments, which had created "substantive and unnecessary administrative burden[s]." That unintended consequence? Not the potential nationwide reach of the law, but the burden apparently imposed on Texas businesses to "be aware of the breach notification laws of every state and any potential changes to them."

In other words, the diagnosis was that the previous amendment was flawed because it required businesses to be aware of the laws of those states in which they do business.

Now, the fact that 50 U.S. states and jurisdictions (46 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands) have security breach laws can certainly complicate compliance for a nationwide breach incident. S.B. 1610 seems to try to solve this multijurisdictional challenge by telling Texas businesses that they don't have to worry about the laws of other states. Specifically, the bill was intended to eliminate the need "to monitor the [breach-related] legislative developments of other states." But a business that maintains information relating to individuals who reside in multiple states must still be aware of the legal obligations those states may impose with respect to that information, because the Texas Legislature does not have the authority under our federal system to pre-empt the security breach laws of other states.

So what are the practical implications?

The Texas law, even as amended, continues to raise troubling issues. Among the questions deserving consideration are:

-- How will your business interpret the application of the Texas "nationwide" notification provision to breach incidents? Will your business provide notice of a breach to residents of a state other than Texas, even though that state's law would not require notice?

-- For any given incident, will it be relevant that the breach occurred outside of Texas or that the incident did not involve information regarding Texas residents?

-- Will your business rely on the Texas law to take the position that it can provide notice of a breach to residents of states other than Texas under the Texas law and not under the laws of other states? And if so, what exactly would it mean to provide notice under the Texas law?

Apparently even legal compliance hurdles are bigger in Texas. While the answers to these questions are far from clear, IT and security teams tasked with handling breaches should consider discussing these issues with counsel.

Adam Fleisher, an associate at Morrison & Foerster focusing on privacy and regulatory issues, contributed to this column.

Comments
Lorna Garey, User Rank: Author, 8/8/2013 2:15:42 PM
re: Texas Doubles Down On Tough Breach Law
I bet Texas DOES consider this pro-business - absolve in-state companies from having to care what other states' laws are.
Thomas Claburn, User Rank: Author, 8/8/2013 2:14:40 AM
re: Texas Doubles Down On Tough Breach Law
Bills really should undergo the legal equivalent of unit testing before being implemented.
User Rank: Author, 8/7/2013 6:14:54 PM
re: Texas Doubles Down On Tough Breach Law
For a state that prides itself on its pro-business environment, Texas has come up with one hairball of a regulation here.